Seattle Information Technology

When Eliud Kipchoge beat the marathon world record this year in Berlin, my jaw dropped. He ran a marathon in 2:01:39! This beat the previous world record by 78 seconds. So, in about the same time that you sit down to watch a movie and snack on popcorn, someone else can run 26 miles. What makes this even more remarkable is that he was so fast that his pacers could not keep pace with him. Eliud had to run almost half of the race alone due to pacers dropping out.

I look at Eliud and think, here is an unbelievable athlete that stands alone, running against soreness, determined with each step to not only win a race but be the best of all time. As he ran alone, it is easy to remark on how he accomplished this all on his own. How he, alone, without help, achieved greatness no one ever dreamed was achievable.

Not to compare being a cybersecurity professional to being a record breaking athlete but I am going to do just that. In many organizations, it is easy to look at the security team and say, it is up to them to make sure we are secure. As the person responsible for cybersecurity in the City of Seattle, I am often stopped in elevators and hallways with the half-joking question, “So, Andrew, are we secure today?” people ask with a smile. They mean it to be a casual remark, but every time I hear that question it reminds me not only of the honor I have to carry this responsibility, but also of the mindset of others that security is always someone else’s problem. Yet, security is everyone’s problem. They think we can snap our fingers and wipe out hackers. As much as I would like to think that we are as powerful as the all-powerful fictional character Thanos, that just isn’t the case (That was a very nerdy reference to a superhero movie. To the twelve of you reading this that got the reference, you are welcome.)

When Eliud beat the world record, he did not do that alone. He is part of the NN Running Team. He had his coach, Patrick Sang. He had medical assistants. He had physical therapists. He was part of a running team with some of the top athletes in the world, including Kenenisa Bekele and Geoffrey Kamworor, and many others that, collectively, claimed a staggering 52 victories in the first 12 months of the team’s inception. There were his pacers and there were the staff that operated behind the scenes supporting communications, marketing, finance, and operations. You get the point. While it may appear that one person did it all, it took many supporting the goal to achieve success.

For the City of Seattle, or any other organization for that matter, to achieve success in cybersecurity, it cannot be left solely to the team labeled as security professionals.

This October marks the 15th anniversary of National Cybersecurity Awareness Month. One of the key messages for this year’s cybersecurity awareness campaign is “Tackle it Together.” Cybersecurity is a cross-cutting, cross-sector problem and must be tackled together. We are all connected in this thing we call cyberspace, and each of us has a role to play in cybersecurity.

What does this mean for you?

This means reporting suspicious phishing emails to your security team so that they can make sure others are not receiving the same phishing scam.

This means stopping the individual attempting to tailgate behind you without badging in and saying, “Would you mind badging in?”

This means following security policies, even when it would be easier not to follow them.

This means locking your workstation every time you get up from your desk.

This means taking the time to read regulatory compliance requirements if they pertain to your job.

No single security team can accomplish cybersecurity on its own. Like Eliud, we may get the attention when there is success, but we also recognize that success is only because of the many individuals who helped behind the scenes to get us there. To the many, many individuals who help the City stay secure without any expectation of acknowledgement, thank you. We cannot do it alone, and we recognize every day that we stop threats only because of those vigilant, security-minded individuals like yourself that take that extra step to report those threats to us.

As we conclude this three-part series of blogs for cybersecurity awareness month, I want to put a twist on ending with three tips. Rather than leave you with three security tips, I want to leave you with three quick biographies of cybersecurity heroes that have inspired me in my growth as a cybersecurity professional:

Dark Tangent (AKA Jeff Moss) I cannot give a list that does not recognize this Seattle great whose handle is known among hackers around the world. Jeff launched the first Defcon hacker conference in the early 90’s. In 2018, this conference had over 27,000 attendees doing everything from social engineering competitions, hacking medical devices, finding new vulnerabilities in automobiles, and cracking safes, to solving complex cryptographic puzzles. At this last Defcon, Emily Skinner, an 11-year-old girl, demonstrated her ability to break into a replica of a state election-results website and change the reported totals in under ten minutes. No other conference in the world has done more to encourage cybersecurity research, raise security awareness, and find innovative ways to tackle security threats. And no other conference has done more to bring together misfit rebel computer geeks to a place where it is socially acceptable to go to a party and talk about ROP chains, heap overflows, Z-Wave spoofing, and malware obfuscation packers as if those were cool topics. Jeff Moss had the drive to create a safe place to foster security research, awareness, and honest discussions to find solutions to today’s challenges.

Woz (AKA Steve Wozniak) Many people know Steve Wozniak as the co-founder of Apple (or his Samba performance on Dancing with the Stars). What many do not know is that Woz, at his core, is a hacker. He started out as a “phone phreak”, a term for people who hacked phone networks (I’m sure it was a cool term at the time). In the 1970s he was known as “Berkeley Blue” and would build “blue boxes” that let him hack into phone networks and make free long-distance calls. Woz learned how to make these blue boxes from another phreaker, Captain Crunch, aka John Draper. John discovered that the toy whistle packaged in Cap’n Crunch cereal boxes produced a tone at almost exactly 2,600 Hz. That was the frequency the long-distance trunk lines used to signal that a call had ended, so playing it into the handset made the network believe the caller had hung up while the trunk stayed open; a blue box then generated the routing tones the network itself used, letting the phreak dial anywhere at no charge. Now, as the CISO for the City of Seattle, I do not condone hacking illegally. Woz himself has said many times that he never once hacked a computer “for real”, but rather was trying to figure out how technology worked, how to find holes in security controls, and how it could be manipulated to do things it was never meant to do. He would read electronics journals for fun, build TV jammers, and trick friends into giving up credentials. But it was never about committing crimes. What Woz taught us all was that we should never take technology at face value. Never trust a vendor’s promises completely. Security research that discovers a bug benefits everyone (when it follows responsible disclosure). He taught us all that the technology we use is built by fallible humans like all of us, and that testing the technology to see if it can act in ways it was never intended to was not only useful, it was best practice. He was practicing what we now call quality assurance, quality control, development operations, penetration testing, and reverse engineering well before those were job titles.

Al-Kindi (AKA Abu Yusuf Ya‘qub ibn Ishaq al-Kindi) was a 9th century Muslim philosopher, mathematician, astronomer, medical doctor, and all-around genius of his time. Al-Kindi is known as one of the great fathers of cryptography. What made Al-Kindi so influential was not that he created advanced algorithms so secure they cannot be solved today, but rather that he developed a formal approach to breaking cryptography. He flipped the hiding of messages on its head, sought ways to reverse engineer cryptographic algorithms, and birthed a new field of study: cryptanalysis. He is believed to have authored over two hundred books, and this is before the days of Wikipedia! One of his most famous is called “On Deciphering Cryptographic Messages”, which was revolutionary at the time in cracking cryptographic messages. Al-Kindi used frequency analysis: he measured how often each letter (and each common word) appears in ordinary text of a language, then matched the most frequent symbols in a ciphertext to the most frequent letters of that language. If you have ever watched the game show Wheel of Fortune, you have seen Al-Kindi’s frequency analysis in action. Why do contestants often choose the same letters, such as R, S, T, L, N, and E? Because those are the most common letters in English text. On average, the letter E accounts for 12.7% of letters in English text, while J, Q, X, and Z combined add up to less than 1%. Now I’m oversimplifying Al-Kindi’s work, but think of him as the person who discovered that to win the game show you should pick those letters. Would you believe that Al-Kindi’s frequency analysis helped save Elizabeth I’s life? A codebreaker, using Al-Kindi’s approach, was able to crack a message detailing an assassination plot against her. Some have said that Al-Kindi’s work laid the foundation for the cryptanalysis that cracked the Enigma machine in World War II, saving thousands of lives in the process. For me, Al-Kindi’s story has taught me that you do not always need to be the one that builds the solution. The one who analyzes, discovers patterns, and breaks the code is equally important. You do not have to be the person who develops the software, architects the network, or builds the next disruptive mobile application that flips market trends. There will always be a need for that person who questions the norm, challenges what is accepted, and pokes holes in security. In doing so, new solutions can be made to further cybersecurity and cryptography, protecting everyone until the next cycle completes.
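To make Al-Kindi’s method concrete, here is a small added example (not part of the original post, and not City code) that applies frequency analysis to a shift cipher. The English letter-frequency table is the commonly published approximation the post’s 12.7% figure comes from, and the sample plaintext is constructed for the demonstration. The attack tries every possible shift, measures how far each candidate plaintext’s letter distribution sits from English with a chi-squared statistic, and keeps the closest match; the same scoring idea is what a cryptanalyst uses to rank guesses against a general monoalphabetic substitution, where 26 tries are no longer enough.

```python
"""Frequency analysis against a shift (Caesar) cipher.

Added example; the sample text is constructed, not from the original post.
"""
from collections import Counter
import string

# Approximate letter frequencies of English text, in percent (E ~ 12.7%).
# These are the commonly published approximations; they are not exact.
ENGLISH_FREQ = {
    'a': 8.17, 'b': 1.49, 'c': 2.78, 'd': 4.25, 'e': 12.70, 'f': 2.23,
    'g': 2.02, 'h': 6.09, 'i': 6.97, 'j': 0.15, 'k': 0.77, 'l': 4.03,
    'm': 2.41, 'n': 6.75, 'o': 7.51, 'p': 1.93, 'q': 0.10, 'r': 5.99,
    's': 6.33, 't': 9.06, 'u': 2.76, 'v': 0.98, 'w': 2.36, 'x': 0.15,
    'y': 1.97, 'z': 0.07,
}

# Constructed sample plaintext: a few sentences of ordinary English.
SAMPLE_PLAINTEXT = (
    "Cybersecurity is a cross-cutting problem and must be tackled together. "
    "We are all connected in this thing we call cyberspace, and each of us has "
    "a role to play. No single security team can accomplish cybersecurity on its own."
)


def caesar(text, shift):
    """Shift every ASCII letter by `shift` places; other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)


def letter_frequencies(text):
    """Percent frequency of each letter a-z in `text`, case-insensitive.
    Returns all zeros when the text contains no letters."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    counts = Counter(letters)
    total = len(letters)
    return {c: (100.0 * counts[c] / total if total else 0.0)
            for c in string.ascii_lowercase}


def chi_squared(observed):
    """Distance between an observed letter distribution and English.
    Lower means 'looks more like English'."""
    return sum((observed[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c]
               for c in string.ascii_lowercase)


def rank_letters(text, n=6):
    """The n most frequent letters in `text`, most frequent first
    (the Wheel of Fortune view of the data)."""
    freqs = letter_frequencies(text)
    return [c for c, _ in sorted(freqs.items(), key=lambda kv: kv[1], reverse=True)[:n]]


def crack_caesar(ciphertext):
    """Try all 26 shifts and keep the one whose output looks most like English.
    Returns (shift, recovered plaintext)."""
    if not any(c.isalpha() for c in ciphertext):
        raise ValueError("no letters to analyze")
    scores = []
    for shift in range(26):
        candidate = caesar(ciphertext, -shift)
        scores.append((chi_squared(letter_frequencies(candidate)), shift))
    _, best_shift = min(scores)
    return best_shift, caesar(ciphertext, -best_shift)


if __name__ == '__main__':
    ct = caesar(SAMPLE_PLAINTEXT, 7)
    print("ciphertext:", ct)
    print("most common ciphertext letters:", rank_letters(ct))
    shift, pt = crack_caesar(ct)
    print(f"recovered shift {shift}: {pt}")
```

With a couple of hundred letters the correct shift wins by a wide margin: a wrong shift drops a high-frequency letter like E onto a slot such as Q or Z, and the chi-squared penalty for that single mismatch is in the hundreds. Very short messages are the failure mode; there the statistics are too thin, which is exactly why frequency analysis historically worked best against long dispatches.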

May we never forget the pioneers before us, and may we aspire to be those thought leaders and influencers that inspire future generations as those before us have inspired us.

Director of Security, Risk, and Compliance Andrew Whitaker leads information assurance, security operations, regulatory compliance, and IT policy across all City departments. His cybersecurity specialties include building lean security programs, integrating security into business processes, intelligence-driven threat modeling, and security awareness and training.

He has over 20 years of experience in both the public and private sector, leading consulting services for defense, federal, and intelligence agencies, all branches of the US military, and over a third of the Fortune 500 companies.

When I was ten my parents sent me to summer camp. Unfortunately, I was one of those kids who always found myself hanging out with the “wrong crowd”. At summer camp I made a friend named Jacob who taught me how to pickpocket. So, while other kids were learning to weave baskets, we were walking around practicing our wallet-stealing skills. It was a futile effort, as ten-year-old kids don’t often carry wallets and, if they do, it was usually to store Garbage Pail Kids trading cards and not money.

Luckily, I grew out of that summer hobby. I often wonder if Jacob is still pickpocketing today. If he was clever though, he would have learned by now that there is a much easier way to steal a wallet. Can you guess the easiest way to steal a wallet? It is by simply asking for it.

The easiest way to steal someone’s money is to scam someone into giving it to you freely. This is why multilevel marketing scams, Ponzi schemes, and fake charities are far more dangerous than a thief trying to pickpocket you. These scams trick people into giving money, often for long periods of time, and in large amounts.

In the same way, the easiest way to hack your password is not by a sophisticated hack. It is not even by guessing. It is much easier than that. It is by tricking you into giving up your password through phishing scams.

A phishing scam is when a hacker spoofs an email to appear legitimate and attempts to trick someone into giving up a username and password. Common approaches include pretending to be someone high-up in your company, IT support staff, an online gift or greeting card, or a shipping company with an important message. All of them will, in one fashion or another, attempt to trick you into clicking on a link that takes you to a website requesting you to enter your username and password. In other words, phishing is throwing out bait and hoping you fall for it. It is like fishing, except with a ‘ph’, because security professionals think changing an ‘f’ to ‘ph’ is cool (yah, I don’t get it either).

Here are three quick tips to protect yourself from phishing attacks:

Do not click on links from people you do not know. Remember that saying your parents taught you, “Don’t take candy from strangers.” Hackers will often hide the real address of a malicious website by disguising it in an email with a link that looks legitimate. I’ll spare you the technical details, but it’s as easy as slipping on your costume for your neighborhood Halloween party. Not hard to disguise, but it masks the real identity. If you receive a link like this at work, contact your security team. If at home, one quick tip is to hover your mouse cursor over the link and, after a second or two, you should see the real website address appear either next to the link in the email or in the bottom of the browser window (your mileage may vary; this does not work with every email client). When you do, read the part of the address just before the first single slash: that is the site you will actually be sent to. Attackers like to put a familiar name earlier in the address (for example, yourbank.com.something-else.net) so the link looks right at a glance. If the link looks suspicious in any way, such as a series of random characters or a domain you do not recognize, do not click on it.

*As a quick side note, pay special attention to random text messages with links. This is a common technique today, as people are often far more likely to click on a link on their cell phone than on their computer. If you receive a text message from someone you do not know, and it contains a link, do not click on it. Delete it. And be sure to high five yourself afterward knowing you were not tricked by the foolish hacker.
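The hover check above is something a security team can automate over an inbound message before a person ever sees it. The following is an added example (not City tooling, and not from the original post) that pulls every link out of an HTML email body and flags the two disguises discussed here: visible text that reads like one web address while the link actually goes somewhere else, and links that point at a bare IP address. The email body is constructed for the demonstration and uses reserved example domains and a documentation-range IP.

```python
"""Spot email links whose visible text does not match where they really go.

Added example with a constructed HTML email body; not the City's own tooling.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style email body. example.org stands in for the
# legitimate organization; example.net and 203.0.113.7 are the attacker's.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in now to keep receiving mail:</p>
<p><a href="http://login-portal.example.net/owa">https://www.example.org/owa</a></p>
<p>Payroll changes take effect Friday:
<a href="https://www.example.org.login-portal.example.net/hr">https://www.example.org/hr</a></p>
<p>Or view the <a href="http://203.0.113.7/doc">shared document</a> directly.</p>
<p>Help desk: <a href="https://www.example.org/help">https://www.example.org/help</a>
or <a href="mailto:helpdesk@example.org">email us</a>.</p>
"""

# Visible anchor text that a reader would take for a web address.
URL_TEXT = re.compile(r'^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$', re.IGNORECASE)
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of an http(s) URL, or '' for anything else
    (mailto:, fragments, empty hrefs). Scheme-less text like
    'www.example.org/x' is accepted so visible link text can be parsed too."""
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ('http', 'https'):
        return ''
    if not parsed.scheme:
        parsed = urlparse('http://' + url)
    return (parsed.hostname or '').lower()


def looks_like_url(text):
    return bool(URL_TEXT.match(text))


def suspicious_links(html_body):
    """Return (visible text, real href, reason) for each link worth a second look."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if not real_host:
            continue  # nothing to compare against
        if looks_like_url(text) and host_of(text) != real_host:
            findings.append((text, href, 'displayed address differs from real destination'))
        elif IPV4.match(real_host):
            findings.append((text, href, 'destination is a bare IP address'))
    return findings


if __name__ == '__main__':
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shows '{text}' but goes to {href}")
```

The second sample link is the subdomain trick: the real host is www.example.org.login-portal.example.net, and because the comparison is on the whole host name rather than on whether the familiar name appears somewhere inside it, the check catches it. A production mail filter would go further (URL reputation, redirect following, lookalike characters), but host mismatch alone already separates the first three links from the legitimate help-desk one.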

Grammar counts. Many phishing emails use poor grammar, misspelled words, and even odd fonts. Sure, it may be a sign of the hacker using English as a second language, but in the days of spellcheck and grammar check, there is no excuse for poor grammar and spelling in phishing emails. Many email clients will even show you those squiggly red lines underneath words that are not recognized. Are hackers so dumb that they do not know how to write a grammatically correct email? Are they that lazy that they ignore those red squiggly lines letting them know that a word is misspelled, or a sentence is not using proper grammar? I’m going to let you in on a secret: The misspelled words and poor grammar found in many phishing emails are often intentional. The general theory is this: if a person is willing to fall for an obvious fake email, despite numerous clues like poor grammar and spelling, then the person is highly susceptible to not only being scammed but being scammed repeatedly and not reporting it.

Remember this saying, “you are a target.” The majority of hackers are opportunists. It is a numbers game. If they cast a wide enough net, they will catch someone with their phishing scam. In the City of Seattle, over half of all email sent to the City is spam or phishing attempts that are, luckily, blocked before they even enter our network. There are others that are just sneaky enough to get past our protections, and when they do, we have staff dedicated to detecting, removing, and blocking those emails before they impact City employees. These messages use similar tactics, requesting employees to click a link and enter credentials to access a file or a message that is “urgent”. They don’t care who falls for it; they are playing the numbers game. Remember, you, and I, are targeted just like everyone else. That does not mean we have to be paranoid, but if you remember that most hackers are looking for targets of opportunity, then you can approach technology in a safe and secure manner. You’ve probably heard of the importance of being ‘street smart’; well, think of this as being ‘digitally smart’.

Stories of identity theft and data breaches are all too common in our headlines these days. If the cybersecurity headlines of 2018 were put in a book, every page would reveal a depressing fact.

A social media giant has 87 million records breached

An apparel company has 150 million records breached

A marketing firm has 340 million records breached

Cities hacked across the country

State-sponsored hacks against voting systems

You get the idea. By the time you reach halfway through the book of headlines, you are ready to put it down. Is there any hope for living in a world where our online identities can be safe?

I enjoy reading suspense novels. A good suspense novel leads the reader to a point of insurmountable odds, only to have the one lucky break that allows the heroine or hero the opportunity to escape the villain, solve the crime, or rise above the disaster. I read suspense novels to remind me that no matter how bombarded we are with news of data breaches, there is always a way to turn the story around.

Yes, data breaches happen. Yes, online technology is always a risk. Of course, we take risks all the time. One time I decided to eat sushi in a diner in the middle of the Pocono Mountains. Trust me, I won’t do that again any time soon! So yes, bad things happen to all of us. Headlines about data breaches have not stopped people from going online, but they should make us more aware of the dangers and smarter about how we go online.

This October marks the 15th anniversary of National Cybersecurity Awareness Month. Seattle Information Technology joins a collaborative effort between the U.S. Department of Homeland Security and the National Cyber Security Alliance to help raise awareness during this month. Over the next few weeks, we will share a series of short blog articles on how you can take small steps that can make huge impacts in protecting your identity when using technology online.

For this first post, let’s talk about secure passwords. Now, I know that doesn’t sound very exciting, and I wish I was talking about some advanced hacker technique, but the reality is that weak passwords remain the number one way hackers get into accounts. No matter what online service you use, chances are that the website requires you to log in with a username and password. The username identifies you; the password is what authenticates that claim.

Here are three tips to secure your passwords:

Use long passwords. I’ll spare you the fancy mathematical algorithms and just say that the longer the password, the harder it is to figure out. In fact, in most cases, that matters more than the complexity. For example, take a lottery ticket. How easy would it be for someone to get the winning number if the ticket only had four numbers, each ranging from 0-9? There would be only 10,000 possible tickets, and every extra digit multiplies that by ten. Now, many in the security community will debate what the right number of characters should be. Rather than argue over whether a password should be eight or thirty characters, I suggest this: Try to improve your cyber presence by increasing the number of characters in your password by four characters this year. Whatever passwords you currently use now, change them and add four more characters. Next year, increase it again. When you get to twenty characters or more, you can stop, because at that point you are just typing the alphabet.
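For readers who do want the math that was spared above, here is an added example (not from the original post) that works out the keyspace behind “longer beats more complex”. It compares password policies by the number of possible passwords each allows, expressed in bits, and converts that into time to try every possibility at an assumed guessing rate; the rate is an assumption and real speeds depend heavily on how the service stores its passwords. The numbers are an upper bound that assumes randomly chosen characters: a long password made of a dictionary word and a year is far weaker than its length suggests, which is why the manager and uniqueness tips that follow matter as much as length.

```python
"""Keyspace arithmetic behind 'longer beats more complex'.

Added example, not from the original post. The guess rate is an assumption.
"""
import math

# Sizes of the character sets a password can draw from.
CHARSETS = {
    'digits only': 10,
    'lowercase letters': 26,
    'upper + lowercase': 52,
    'letters + digits': 62,
    'all printable ASCII': 95,
}

# Assumed attacker speed for an offline attack on a leaked, fast-hashed
# password database. Real rates vary by orders of magnitude with the hash
# function and hardware; treat this as an illustrative assumption only.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a password of `length` characters chosen uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every possible password of this shape."""
    return alphabet_size ** length / guesses_per_second


def extra_char_multiplier(alphabet_size, extra_chars):
    """How many times larger the keyspace gets after adding `extra_chars`
    characters (the post's 'add four characters this year' advice)."""
    return alphabet_size ** extra_chars


def human_duration(seconds):
    """Render a number of seconds in the largest convenient unit."""
    units = [('years', 365 * 24 * 3600), ('days', 86400), ('hours', 3600),
             ('minutes', 60), ('seconds', 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare_policies(policies, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """policies: iterable of (charset name, length). Returns one row per
    policy, weakest first, with keyspace in bits and time to exhaust it."""
    rows = []
    for name, length in policies:
        size = CHARSETS[name]
        rows.append({
            'charset': name,
            'length': length,
            'bits': round(keyspace_bits(size, length), 1),
            'time': human_duration(seconds_to_exhaust(size, length, guesses_per_second)),
        })
    return sorted(rows, key=lambda r: r['bits'])


if __name__ == '__main__':
    policies = [('all printable ASCII', 8), ('lowercase letters', 12),
                ('lowercase letters', 16), ('letters + digits', 20)]
    for row in compare_policies(policies):
        print(f"{row['length']:>2} chars, {row['charset']:<20} "
              f"{row['bits']:>6} bits  exhaust in {row['time']}")
    print("adding four lowercase characters multiplies the keyspace by",
          extra_char_multiplier(26, 4))
```

Twelve lowercase letters (about 56 bits) already outrank eight characters drawn from every symbol on the keyboard (about 53 bits), and each added lowercase character multiplies the work by 26, so four more characters multiply it by roughly 457,000. That is the whole case for the “add four characters” habit.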

Don’t write down your passwords. If you were to look in your wallet or purse right now, chances are your driver’s license or other identification is there. Whether you are going through TSA at an airport security line, or entering a 21-and-over bar, you are asked to validate that you are who you say you are, and that is done through a form of identification. Your physical ID is not unlike your password. You let others look at it, but you do not give it away. In the same way, secure your passwords. Do not give them away by writing them on notes and sticking them around your computer. There are several password management tools to help secure your passwords. I use KeePass. LastPass is another popular one. Both store your passwords in an encrypted vault protected by a single strong master password that you must enter to unlock and access them.

Change your social media and email account passwords frequently. Many websites these days offer you the option of connecting to your Facebook, Google, or other popular online account. Using that integration takes away the challenge of remembering multiple passwords. Yet, if that password is ever compromised, every site that uses the same Facebook or Google login will also be compromised. Often, hackers will hold on to those passwords for a long time, trying to sell them to other people, and you may not realize that you have been hacked until months later. Changing your password frequently protects you if your password is compromised and you do not know it yet. How often should you change your password? Security professionals argue everything from once a month to once every six months. I recommend keeping it simple: change your password every time you change your toothbrush (assuming, of course, you change your toothbrush regularly!). The American Dental Association recommends that you replace your toothbrush approximately every three to four months. If you can remember that, just change your passwords next time you change your toothbrush. Your online identity and your dentist will thank you!
